Internal Audit Report


Key Financial Controls: Payroll (non-schools)
March 2018

To: Chief Executive; Interim Assistant Chief Executive; HR Strategic Lead; Interim Director of Resources; Head of Finance

Copied to: Finance Director, CSG; Operations Director, CSG; HR Director, CSG; Operations Director, CSG HR; Assistant Director of Finance, CSG; HR Team Leader, CSG; Payroll Team Manager, CSG

We would like to thank management and staff of the CSG Payroll and Finance teams for their time and co-operation during the course of the internal audit.

Cross Council Assurance Service

Table of Contents

1. Executive Summary
2. Summary of results and assurance ratings
3. Detailed operating effectiveness results
4. Control design recommendations
5. Follow-up on 2016/17 control design recommendation
Appendix A: Definition of risk categories and assurance levels in the Executive Summary
Appendix B: Background and context
Appendix C: Internal Audit roles and responsibilities

1. Executive Summary

Introduction

The review of key financial controls has been agreed in the Internal Audit and CAFT Plan.

Background and context

As part of this review we confirmed and updated our prior year understanding of the key controls operating within Barnet's key financial systems to ensure that our work is up to date and relevant. We then devised an overarching programme of testing across the different systems and processes to give assurance on the effectiveness of these key controls.

This report summarises the audit work undertaken covering the period from 1 February 2017 to 31 December 2017 over non-schools payroll. Our work has now been completed in line with the Terms of Reference.

We have found that the control environment has deteriorated in the period, with control operating exceptions noted in eight areas (three in 2016/17) and control design exceptions noted in four areas (two in 2016/17).

This report consists of the following sections:

Part 1: Executive Summary - provides background and context to the report;
Part 2: Summary of Results - sets out an overview of the number of findings and assurance ratings for each individual system;
Part 3: Detailed Operating Effectiveness Results - explains in detail the exceptions we found for each test area where we found non-compliance with the intended controls;
Part 4: Control Design Recommendations - highlights the areas where the design of controls could be improved to enhance the control environment or to improve efficiency; and
Part 5: Follow-up on 2016/17 control design recommendations - sets out in detail a control design issue raised in 2016/17 and confirms whether the recommendation has been implemented.

2. Summary of results and assurance rating

Department: Non-schools payroll
Overall opinion 2017/18: Limited
Overall opinion 2016/17: Reasonable
Direction of travel: deteriorated
Controls in scope: 13 (P1 to P13; see section 3)
Controls where operating exceptions were found: 8 (2016/17: 3)
Control design exceptions found: 4 (2016/17: 2)*

*The two control design issues noted in the previous period have not yet been fully resolved.

3. Detailed operating effectiveness results

1) Non-schools Payroll

P1 Payroll reconciliation between payroll and GL (control performed by the Finance team)
Control tested: Reconciliations are performed on a monthly basis. They are performed by an appropriate member of the finance team and reviewed by a senior member of the finance team.
Exceptions: 100%
Category: Control Operating Effectiveness
Risk: Medium
Exception details: We requested a sample of two reconciliations performed between 1 February 2017 and 31 December 2017 (the reconciliations for August and December 2017). We were informed that due to staffing pressures, this did not take place on a monthly basis during 2017/18. A reconciliation between payroll and the general ledger is carried out as part of year end finance processes.
Management Response and Agreed Action: Management will reinstitute a monthly process for 2018/19 to ensure that the payroll system and general ledger are reconciled and any discrepancies are investigated in a timely manner.
Responsible Officer: Payroll Team Manager
Target date: 31/07/2018

P2 Reconciliation of payment runs to BACS listings
Control tested: Each payment run is reconciled to the BACS / cheque listings and is authorised. The Payroll Supervisor then authorises release of the BACS transmission.
Exceptions: 50%
Category: Control Operating Effectiveness
Risk: Low
Exception details: We requested a sample of two reconciliations performed between 1 February 2017 and 31 December 2017 (the reconciliations for August and December 2017). We identified the following exceptions:
1/2 (50%) of BACS secondary authorisations viewed was not dated, and as such we were unable to tell whether this authorisation took place in a timely manner.
An additional issue was identified, as the reconciliation process usually includes agreeing BACS listings through Control Total Reports to the final BACS transmission amount. In December 2017, the Control Total Report was not produced. This has been raised as an exception under control P8.
Agreed Actions: The process notes within the monthly payroll processing runsheet will be updated to mandate that preparers and reviewers both sign and date the reconciliation documentation to demonstrate timely reconciliation of the payment run to the BACS listings.
Responsible Officer: Payroll Team Manager
Target date: 31/07/2018

P3 Starter form
Control tested: Starter forms with relevant information are fully completed and authorised by an appropriate member of staff (as per the scheme of delegation) who is different to the preparer.
Exceptions: 12%
Category: Control Design and Operating Effectiveness
Risk: Medium
Exception details: A sample of 25 starter forms processed between 1 February 2017 and 31 December 2017 were tested. We identified the following exceptions:
2/25 (8%) starters had starter forms which were prepared and authorised by the same person. As a result, there was no segregation of duties in place around these starter requests. In both cases, the authoriser was the relevant budget holder.
1/25 (4%) starters had no starter form relating to the period of employment under review. The individual had previously been employed by Barnet and had re-joined in the same post; however, there was a five-month period in between where they had not been a Council employee. A starter form should exist for each discrete period of employment. The HR business partner for the service area provided evidence that a form had been requested; however, as the form was to be returned to the HR Admin inbox rather than to the HR business partner, there was no mechanism in place for non-completion to be identified or followed up on. See control design finding in section 4 below.
Agreed Actions:
1. The new starter form will be amended to explicitly require two different signatories to demonstrate segregation of duties around preparation and approval of new starter requests and ensure that no forms can be processed without evidence of this.
2. A starter form will be retrospectively created relating to the individual in our sample who did not have a new starter form.
Responsible Officer: Payroll Team Manager
Target Date: 31/08/2018

P4 Leaver form
Control tested: Leaver forms have adequate backing information and are checked and authorised by the HR manager before being received by payroll and processed in the payroll.
Exceptions: 16%
Category: Control Operating Effectiveness
Risk: Medium
Exception details: A sample of 25 leavers between 1 February 2017 and 31 December 2017 were tested. We identified the following exceptions:
3/25 (12%) leaver forms were completed and authorised after the leaving date. No overpayments to these leavers were noted.
1/25 (4%) leaver form was undated. As such, it cannot be confirmed whether the request and authorisation occurred before or after the individual's leaving date.
These exceptions are because managers in the Council have not followed procedure. The exceptions are thus outside of the payroll team's control, as the payroll team cannot action leavers until they are notified.
Agreed Actions:
1. Management will remind staff of the importance of submitting leaver forms prior to the leaving date.
2. As agreed in the Non-Schools Payroll audit in June 2017, CSG Management will report on the instances of late Leaver Form submissions and the financial impact of these late submissions to Council management.
3. Management will consider the introduction of sanctions for managers who are unable to demonstrate that there was a valid reason not to send a form in prior to the leaving date (e.g. the employee left without giving notice). This could be linked to managers' corporate objectives around managing budgets.
Responsible Officer: Payroll Team Manager
Target Date: 31/08/2018

P5 Standing data form
Control tested: Modifications to standing data are reviewed for completeness, accuracy and authorisation by an appropriate level of management.
Exceptions: 4%
Category: Control Operating Effectiveness
Risk: High
Exception details: A sample of 25 changes to standing data processed between 1 February 2017 and 31 December 2017 were tested. This sample included ten movers forms, nine changes to bank details and six salary/hours changes. We identified the following exception:
1/25 (4%) of bank details changes were not supported by documentation. An amendment to bank details was made so that a severance payment with a value of £6,630 would be made to a relative of the employee; however, this amendment was requested by the relative rather than the employee. There was no evidence that the employee had confirmed this request, or that there was Power of Attorney in place which would allow the relative to make this request on their behalf.
Agreed Actions: Written guidance around changes to standing data will be developed (see finding P13), which will highlight that no changes can be made to bank or address details without the explicit, written agreement of the individual concerned, or their legal proxy. The process of drafting the guidance will include consideration of whether the existing controls are sufficiently robust. If control weaknesses are noted, additional controls will be put in place to strengthen the process.
Responsible Officer: Payroll Team Manager
Target Date: 31/08/2018

P6 System access
Control tested: Payroll system access is reviewed on a regular basis and access is only granted to appropriate members of staff.
Exceptions: Not tested (control design issue identified)
Category: Control Design
Risk: Medium
Exception details: The control design issue identified during 2016/17 has not been remedied and we were not able to test the operation of this control. See section 5 of this report for details.

P7 Exception reports
Control tested: The system generated exception report indicating unusual payments (i.e. excessively large payments, multiple payments made to the same employee, etc.) is investigated and resolved prior to payment distribution on a monthly basis. Monthly checks are done by administrators, team leader and payroll manager.
Exceptions: No exceptions noted.

P8 Control total reports
Control tested: The system generated control total report showing cumulative amount payable to third parties (e.g. HMRC, give as you earn, pension) is prepared each month and compared to payments made and the general ledger.
Exceptions: 50%
Category: Control Operating Effectiveness
Risk: Low
Exception details: 1/2 (50%) of control total report reconciliations requested had not been performed. The December 2017 control total report was not available to review and management confirmed that one had not been produced. We confirmed that the January 2018 report could be agreed back to the November 2017 report and that no discrepancies were noted. As such there was no financial impact on the Council as a result of this omission.
Agreed Actions: The process notes within the monthly payroll processing runsheet will be updated to mandate that the Control Total report for each month is saved within the payroll team's shared drive.
Responsible Officer: Payroll Team Manager
Target Date: 31/08/2018
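The exception report described under P7 (excessively large payments, multiple payments to the same employee) and the month-on-month variance check relied on in the P9 follow-up later in this report (variances of over £100 are flagged for investigation) are detective controls that can be run mechanically over two consecutive payment runs. The following is an added example of that logic, not code from this report or from the Council's Core payroll system. The CSV layout, employee identifiers, amounts and the £8,000 single-payment ceiling are constructed for illustration; the £100 variance threshold is the figure the report gives.

```python
"""Monthly payroll exception report over two consecutive payment runs.

Added example; the data below is constructed and the column names are assumed.
"""
import csv
import io
from collections import defaultdict
from decimal import Decimal

# Constructed prior-month payment run (not real payroll data).
PRIOR_RUN_CSV = """employee_id,name,net_pay
E001,A. Patel,2100.00
E002,B. Okafor,1850.00
E003,C. Reyes,3400.00
E004,D. Smith,2600.00
"""

# Constructed current-month run: E003 is paid twice, E004 jumps sharply, E005 is new.
CURRENT_RUN_CSV = """employee_id,name,net_pay
E001,A. Patel,2100.00
E002,B. Okafor,1980.50
E003,C. Reyes,3400.00
E003,C. Reyes,3400.00
E004,D. Smith,9900.00
E005,E. Novak,2200.00
"""

VARIANCE_THRESHOLD = Decimal("100.00")        # month-on-month change the report says is flagged
LARGE_PAYMENT_THRESHOLD = Decimal("8000.00")  # assumed ceiling for a single month's net pay


def load_run(csv_text):
    """Parse one payment run into (employee_id, net_pay) rows, keeping money as Decimal."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["employee_id"], Decimal(row["net_pay"])) for row in reader]


def totals_by_employee(rows):
    """Sum each employee's payments in a run and count how many lines they received."""
    totals = defaultdict(lambda: Decimal("0"))
    counts = defaultdict(int)
    for emp, amount in rows:
        totals[emp] += amount
        counts[emp] += 1
    return totals, counts


def exception_report(prior_rows, current_rows,
                     variance_threshold=VARIANCE_THRESHOLD,
                     large_threshold=LARGE_PAYMENT_THRESHOLD):
    """Return (rule, employee_id, detail) tuples for the payroll team to clear before BACS release.

    DUPLICATE  more than one payment line for an employee in the current run
    LARGE      a single month's net pay above large_threshold
    VARIANCE   change from last month above variance_threshold (either direction)
    NEW        paid this month but not last: an authorised starter form should exist
    MISSING    paid last month but not this: a leaver form should have been received
    """
    prior, _ = totals_by_employee(prior_rows)
    current, counts = totals_by_employee(current_rows)
    findings = []
    for emp in sorted(set(prior) | set(current)):
        if counts.get(emp, 0) > 1:
            findings.append(("DUPLICATE", emp,
                             f"{counts[emp]} payments in one run totalling {current[emp]}"))
        if emp in current and current[emp] > large_threshold:
            findings.append(("LARGE", emp, f"net pay {current[emp]} exceeds {large_threshold}"))
        if emp in prior and emp in current:
            delta = current[emp] - prior[emp]
            if abs(delta) > variance_threshold:
                findings.append(("VARIANCE", emp, f"month-on-month change of {delta:+}"))
        elif emp in current:
            findings.append(("NEW", emp, "not paid last month: confirm an authorised starter form exists"))
        else:
            findings.append(("MISSING", emp, "not paid this month: confirm a leaver form was received"))
    return findings


if __name__ == "__main__":
    for rule, emp, detail in exception_report(load_run(PRIOR_RUN_CSV), load_run(CURRENT_RUN_CSV)):
        print(f"{rule:9} {emp} {detail}")
```

The report is only a control if someone clears every line before the BACS file is released and the cleared report is retained; the P8 finding above shows what happens when the artefact is simply not produced for a month.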

P9 Overtime payments
Control tested: Overtime payments are at the correct rate, within agreed limits and authorised in line with the scheme of delegation prior to payment. Evidence is retained to demonstrate authorisation.
Exceptions: Not tested (control design issue identified)
Category: Control Design
Risk: Medium
Exception details: The control design issue identified during 2016/17 has not been remedied and we were not able to test the operation of this control. See section 5 of this report for details.

P10 Sick Pay
Control tested: Sick pay adjustment is made in line with sick pay policy when CSG receive an appropriately approved Notification of sick leave form. Sick pay is ended when CSG receive an appropriately approved Notification of return to work form.
Exceptions: Not tested (control design issue identified)
Category: Control Design
Risk: Medium
Exception details: A control design issue has been identified relating to this control. See section 4 below for details.

P11 Holiday Pay
Control tested: Holiday pay is correctly adjusted for part time employees and for employees carrying over holiday. This calculation is prepared and reviewed by two separate employees.
Exceptions: Not tested
Exception details: The control covering holiday pay adjustments within the terms of reference for this review does not operate as described. The only circumstances in which pay is adjusted relating to holidays are when people leave the organisation and are paid in lieu of untaken holiday, or have their final pay adjusted to reflect where they have taken more holiday than they are entitled to. The total value of pay in lieu of holiday in 2017/18 was £119,615. Given that unusually large payments would be identified and investigated through the exception reporting process (control P7), management do not consider holiday pay adjustments to be a key payroll control.

P12 Overpayments
Control tested: Overpayments are invoiced in the case of leavers, and recovery action is performed or adjusted for in the following month's pay in the case of employees.
Exceptions: 60%
Category: Control Operating Effectiveness
Risk: Medium
Exception details: We requested a sample of five overpayments between 1 February 2017 and 31 December 2017, with a value of £13,635. The total value of known overpayments in the period was £98,103. We identified the following exceptions:
1/5 (20%) of overpayments were not chased within three months of the notification date of the overpayment and had not yet been repaid at the date of audit. This overpayment had a value of £3,371.
1/5 (20%) of overpayment chaser letters requested a repayment amount that did not agree to the amount owed (there was a difference of £388 between the two figures). The full amount was received and as a result there was no monetary impact.
We were also provided with evidence that one overpayment which did not form part of our sample, with a value of £1,854, was absorbed by the budget holder as it was due to an error on the part of HR/payroll and they did not feel that it was fair to require repayment from the former member of staff. No evidence was provided to demonstrate that payroll staff verified that this was a legitimate and approved write-off, or that the budget holder had the authority to make this decision, before closing the chasing process for this debt. In addition, no evidence was provided that the Council's HR Lead had been alerted that an error had been made by HR/payroll that had a financial impact on the Council.
Agreed Actions:
1. LBB will agree a clear documented approach for chasing debt and follow this in all cases.
2. Debt chasing letters will be completed using blank templates, rather than by rolling forward earlier letters, to avoid errors in the amount of repayment being sought.
3. Where overpayments are not recoverable and this is due to HR/payroll errors, a clear agreement will be reached on where the cost of any losses should be borne.
4. Council management will establish, in conjunction with the Council's S151 officer, its position for recovery of overpayments and write-offs. CSG will include reporting of any overpayments and the recovery progress in monthly performance reporting.
Responsible Officer: Payroll Team Manager and Strategic HR Lead
Target Date: 30/09/18

P13 Policies and procedures
Control tested: Policies and procedures are reviewed regularly to ensure they are accurate, complete and kept up to date. Policies and procedures are clearly documented and communicated to staff.
Exceptions: 58%
Category: Control Operating Effectiveness
Risk: Medium
Exception details: Management provided us with the following policy and procedure documentation: Monthly payroll processing runsheet; Unified Reward Policy; Absence Management Policy. All of these had been updated within the last two years.
These documents covered or referred to 5/12 (42%) of the controls tested: P2 BACS reconciliation; P7 exception reporting; P8 control totals; P9 overtime payments; P10 sick pay.
7/12 (58%) of the controls reviewed at audit were not covered by the policies and process documents provided: P1 reconciliation between payroll and general ledger; P3 starters; P4 leavers; P5 changes to standing data; P6 system access to Core; P11 holiday pay; P12 overpayments.
Agreed Actions: Existing policies and process documents relating to Payroll will be reviewed by the Council and updated to reflect the current legislative context and practice at the Council. Where areas are identified which are not covered by current policies and procedures, management will create process notes to ensure that the Council's approach to payroll can be clearly communicated to staff and continuity of practice can be maintained in the event of staff turnover. All policies will be reviewed on an annual basis and updated if necessary.
Responsible Officer: Payroll Team Manager
Target Date: 31/08/

4. Control design recommendations identified March 2018

P3 Payroll new starter forms (Medium risk)
Detailed finding: On occasion, the addition of new individuals to payroll is expedited to meet payroll deadlines for the month without a new starter form having been received. A form should still be created for all new starters and all new starter forms should be returned to the HR Admin inbox. As this process is usually used to trigger the addition of a new staff member to payroll, if a staff member has already been added to payroll there is no mechanism to identify non-completion of the new starter form.
Risk: In the absence of the formal new starter process being carried out, people may be added to payroll without formal authorisation by budget holders, and key information about staff members may not be held within the system.
Agreed Action: Management will enforce the requirement that no new starters are added to payroll unless a new starter form has been received. This will apply to last minute additions to payroll where exceptions have historically been made, and no exceptions will be tolerated in future.
Responsible Officer: Payroll Team Manager
Target date: 31/07/

P10 Payroll sick pay (Medium risk)
Detailed finding: Sick leave should be authorised by managers within Core. Evidence should be retained to demonstrate authorisation. There is no consistent mechanism for retention of sickness certification documentation across departments. Payroll are not consistently able to access underlying sickness certification documentation signed off by managers, and as a result they are not able to verify the accuracy of sick leave dates within Core. CSG Payroll management confirmed that at the moment there is no facility for Managers to upload evidence directly to Core. Managers are responsible for the record keeping in relation to absence and as such may keep records at a local level. Some choose to send documents to HR, but this is not required.
Risk: In the absence of underlying sick leave documentation, sickness payments may be made on the basis of inaccurate or incorrectly certified information and management may not be able to gain assurance over the accuracy of information provided through Core.
Agreed Action: Management will require all sick leave documentation to be sent to HR to ensure that supporting evidence for sick leave is retained centrally and an audit trail can be maintained.
Responsible Officer: Strategic HR Lead
Target date: 30/09/18

5. Follow-up on 2016/17 control design recommendation

P6 Payroll - system access to Core (Medium Risk)
Detailed finding 2016/17: We reviewed a report of employees who have access to Core, the Council's payroll system. The report was dated 1 February 2017 and showed the last login date for each user along with their access rights. The payroll system access report is not regularly reviewed to ensure that access has only been granted to appropriate members of staff. Management stated that the Service Delivery Manager (Non-schools payroll) had undertaken an exercise in October 2016 following the recommendation in the prior year report. However, the Service Delivery Manager has left and evidence of the review could not be provided. Currently this procedure is not assigned to anyone. The system access report obtained during the audit showed 36 open users. The Operations Director stated that at the time of the audit these users' access rights were appropriate based on their roles and responsibilities. This finding was raised in the previous year but there is no evidence to confirm that the risk has been addressed.
Risk: There is a risk that users have inappropriate access rights and are able to make unauthorised changes to the payroll system, which could result in fraud, financial loss or employee dissatisfaction.
Agreed action 2016/17: Payroll system access reports, showing all employees who have access to Core, will be run on a periodic basis and reviewed by the service to ensure that access is only granted to appropriate members of staff and, where necessary, access to the system has been removed. An audit trail of this review will be retained. A new Monthly User Report will be produced that confirms every new starter and leaver in the month on the Barnet Contract and that access rights to Core have been appropriately updated.
Follow-up work performed 2017/18: We requested evidence to demonstrate that a quarterly user access report is sent to each team involved with payroll processing for review and amendment. Management were unable to provide us with evidence that this had happened for the periods requested (covering August and December 2017) and as such we were not able to confirm the operation of this control. Management confirmed that the reviews had happened; however, they stated that the relevant emails had been archived before the date of audit. They were able to show us emails relating to a user access review which took place in February. This demonstrated that the action agreed in 2016/17 around retaining an audit trail of user reviews has not been consistently implemented. Management did not provide evidence of the monthly user reports covering starters and leavers which were agreed as an action in 2016/17.
Conclusion: Partially implemented
Agreed Actions: Payroll system access reports, showing all employees who have access to Core, will be run on a periodic basis and reviewed by the service to ensure that access is only granted to appropriate members of staff and, where necessary, access to the system has been removed. An audit trail of this review will be retained. A new Monthly User Report will be produced that confirms every new starter and leaver in the month on the Barnet Contract and that access rights to Core have been appropriately updated.
Revised Implementation date: 31/08/2018
Responsible Officer: Payroll Team Manager
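The agreed action above amounts to a recurring reconciliation: take the Core user access export (the 2016/17 report already carried username, last login date and access rights), compare it against the month's HR starters and leavers, and keep the reviewed output as the audit trail that could not be produced here. The following is an added example of that reconciliation, not code from this report or from Core. The export columns, usernames, role names and the 90-day stale-login threshold are assumptions, and the sample rows are constructed.

```python
"""Periodic user access review for a payroll system, reconciled against HR movements.

Added example; column names, role names and the sample rows are assumed/constructed.
"""
import csv
import io
from datetime import date

# Constructed user access export (assumed columns; not real Core data).
USER_ACCESS_CSV = """username,employee_id,role,last_login
apatel,E001,payroll_admin,2017-12-15
bokafor,E002,payroll_admin,2017-07-02
creyes,E003,payroll_manager,2017-12-20
dsmith,E004,finance_readonly,2017-12-18
svc_report,,payroll_admin,2017-11-30
"""

# Constructed HR starters/leavers feed for the review period (assumed columns).
HR_MOVEMENTS_CSV = """employee_id,event,effective_date
E002,leaver,2017-11-30
E005,starter,2017-12-04
E004,leaver,2018-01-05
"""

STALE_AFTER_DAYS = 90                                    # assumed threshold
PRIVILEGED_ROLES = {"payroll_admin", "payroll_manager"}  # assumed role names


def load_csv(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_access(users, movements, as_of, stale_after_days=STALE_AFTER_DAYS):
    """Reconcile a user access export against HR movements as at a review date.

    Returns (finding, username, detail) tuples:
      LEAVER_STILL_ACTIVE  account belongs to someone who left on or before as_of
      STALE                no login within stale_after_days, or never logged in
      UNOWNED_PRIVILEGED   privileged role with no employee record behind it
      STARTER_HAS_ACCOUNT  new starter already holds an account; confirm it was authorised
    """
    leavers, starters = {}, set()
    for m in movements:
        effective = date.fromisoformat(m["effective_date"])
        if effective > as_of:
            continue  # future-dated movements are not yet in scope for this review
        if m["event"] == "leaver":
            leavers[m["employee_id"]] = effective
        elif m["event"] == "starter":
            starters.add(m["employee_id"])

    findings = []
    for u in users:
        name, emp, role = u["username"], u["employee_id"], u["role"]
        last_login = date.fromisoformat(u["last_login"]) if u["last_login"] else None

        if emp in leavers:
            findings.append(("LEAVER_STILL_ACTIVE", name,
                             f"left on {leavers[emp]}, account still enabled with role {role}"))
        if last_login is None:
            findings.append(("STALE", name, "never logged in"))
        elif (as_of - last_login).days > stale_after_days:
            findings.append(("STALE", name,
                             f"last login {last_login}, {(as_of - last_login).days} days before review"))
        if not emp and role in PRIVILEGED_ROLES:
            findings.append(("UNOWNED_PRIVILEGED", name, f"role {role} has no employee record"))
        if emp in starters:
            findings.append(("STARTER_HAS_ACCOUNT", name,
                             "new starter this period: confirm the access request was authorised"))
    return findings


def review_sample(as_of_iso="2017-12-31"):
    """Run the review over the embedded sample data as at the given date."""
    return review_access(load_csv(USER_ACCESS_CSV), load_csv(HR_MOVEMENTS_CSV),
                         date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    for finding, who, detail in review_sample():
        print(f"{finding:20} {who:12} {detail}")
```

The output, with the reviewer's name, the review date and the action taken on each line, is the audit trail the auditors asked for; it should be filed somewhere that is not subject to the mailbox archiving that removed the evidence in the follow-up above.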

P9 Payroll - Overtime payments (Medium Risk)
Detailed finding 2016/17: Overtime payments should be authorised in line with the scheme of delegation prior to payment. Evidence should be retained to demonstrate authorisation. Overtime payments between 1 October 2016 and 31 January 2017 amounted to £386,461. The overtime payments process is currently very manual. There is no consistent mechanism of recording, authorising and progressing overtime for payment across departments. Generally, we found that an officer will complete an overtime sheet detailing the overtime worked and the line manager will sign this as approved; these forms are then sent to an employee within the department in question for them to collate the overtime into one spreadsheet, which is then sent to the payroll team to be processed. There is no independent review of the spreadsheet against what the managers have approved, and so there is a risk that inappropriate and unauthorised overtime payments are stated on the spreadsheet due to error or fraud. As a result of the above process the payroll team do not see who originally authorised the overtime and are unable to check it was appropriately authorised by an officer with the prerequisite delegated authority. CSG management have stated that the functionality exists within the Core HR Portal for submitting and approving overtime. Payroll management stated that finance review a monthly report showing how much overtime has been paid and to whom. This is a potential way for unusual overtime payments to be identified and challenged. However, there is no evidence that demonstrates these reports have been run monthly, scrutinised and the exceptions fed back to payroll. Management also stated that revenue budgetary monitoring will partially mitigate the risk by helping management to identify unusual payments or material changes in payroll.
Risk: Payroll process inappropriate or fraudulent overtime payments that have not been approved by the appropriate manager, resulting in financial loss to the Council.
Agreed action 2016/17:
a) Both CSG management and Council management will investigate the possibility of creating a more automated process using the Core HR Portal that ensures all payments for overtime hours worked have been approved by the line manager and payroll have oversight of this to ensure that only appropriate overtime payments are processed.
b) Finance will run overtime reports to highlight who has received overtime payments to identify any unexpected or unusual overtime payments. Exceptions will be reported back to payroll.
Follow-up work performed 2017/18: We requested evidence to demonstrate that the issues identified at audit in 2016/17 had been remedied. Management confirmed that it is now possible to approve overtime within Core; however, system users confirmed that there is an issue within the process which means that overtime which is not approved within a short window of time disappears from the system and has to be re-entered into Core. This overtime can then end up being recognised in the incorrect period. Due to this issue, Core is not currently being used to process overtime payments by all service areas. As such, the first recommendation is deemed not to have been fully implemented. The total value of overtime payments in 2017/18 amounted to £1,061,687. Monthly exception reports (P7) are carried out which will identify variances of over £100, including overtime payments, for investigation. This is deemed to be an adequate control in this area and the second recommendation is deemed to have been implemented.
Conclusion: Partially implemented
Agreed Actions:
a) A workshop will be carried out with service areas which are not currently processing overtime through Core to ensure that barriers to use of the system are understood and that mitigating actions can be identified.
b) A subsequent plan will be discussed and agreed with the Council to mandate a standardised control process across the Council for overtime.
Revised Implementation date: 30/09/2018
Responsible Officer: Payroll Team Manager

Appendix A: Definition of risk categories and assurance levels in the Executive Summary

Risk ratings

Critical: Immediate and significant action required. A finding that could cause:
Life threatening or multiple serious injuries or prolonged work place stress. Severe impact on morale & service performance (e.g. mass strike actions); or
Critical impact on the reputation or brand of the organisation which could threaten its future viability. Intense political and media scrutiny (i.e. front-page headlines, TV). Possible criminal or high profile civil action against the Council, members or officers; or
Cessation of core activities, strategies not consistent with government's agenda, trends show service is degraded. Failure of major projects, elected Members & Senior Directors are required to intervene; or
Major financial loss, significant, material increase on project budget/cost. Statutory intervention triggered. Impact on the whole Council. Critical breach in laws and regulations that could result in material fines or consequences.

High: Action required promptly and to commence as soon as practicable where significant changes are necessary. A finding that could cause:
Serious injuries or stressful experience requiring medical treatment, many workdays lost. Major impact on morale & performance of staff; or
Significant impact on the reputation or brand of the organisation. Scrutiny required by external agencies, inspectorates, regulators etc. Unfavourable external media coverage. Noticeable impact on public opinion; or
Significant disruption of core activities. Key targets missed, some services compromised. Management action required to overcome medium-term difficulties; or
High financial loss, significant increase on project budget/cost. Service budgets exceeded. Significant breach in laws and regulations resulting in significant fines and consequences.

Medium: A finding that could cause:
Injuries or stress level requiring some medical treatment, potentially some workdays lost. Some impact on morale & performance of staff; or
Moderate impact on the reputation or brand of the organisation. Scrutiny required by internal committees or internal audit to prevent escalation. Probable limited unfavourable media coverage; or
Significant short-term disruption of non-core activities. Standing orders occasionally not complied with, or services do not fully meet needs. Service action will be required; or
Medium financial loss, small increase on project budget/cost. Handled within the team. Moderate breach in laws and regulations resulting in fines and consequences.

Low: A finding that could cause:
Minor injuries or stress with no workdays lost or minimal medical treatment, no impact on staff morale; or
Minor impact on the reputation of the organisation; or
Minor errors in systems/operations or processes requiring action or minor delay without impact on overall schedule; or
Handled within normal day to day routines; or
Minimal financial loss, minimal effect on project budget/cost.

Levels of assurance

Substantial: There is a sound control environment with risks to key service objectives being reasonably managed. Any deficiencies identified are not cause for major concern. Recommendations will normally only be Advice and Best Practice.

Reasonable: An adequate control framework is in place but there are weaknesses which may put some service objectives at risk. There are Medium priority recommendations indicating weaknesses but these do not undermine the system's overall integrity. Any Critical recommendation will prevent this assessment, and any High recommendations would need to be mitigated by significant strengths elsewhere.

Limited: There are a number of significant control weaknesses which could put the achievement of key service objectives at risk and result in error, fraud, loss or reputational damage. There are High recommendations indicating significant failings. Any Critical recommendations would need to be mitigated by significant strengths elsewhere.

No: There are fundamental weaknesses in the control environment which jeopardise the achievement of key service objectives and could lead to significant risk of error, fraud, loss or reputational damage being suffered.

Appendix B: Background and context

As part of this review we confirmed and updated our prior year understanding of the key controls operating within Barnet's key financial systems to ensure our work is up to date and relevant. We then devised an overarching programme of testing across the different systems and processes to give assurance on the effectiveness of these key controls.

Continuous auditing and monitoring (CAM) is the process of on-going testing of key controls to assess whether they are operating effectively, and to flag areas and report transactions that appear to circumvent control parameters. We use a combination of manual testing and data mining tools to extract data from the IT system, using pre-determined parameters to check that controls are operating as designed. CAM helps to provide regular and timely assurance over the financial systems and informs our opinion of the adequacy and effectiveness of these systems at the year end.

Our testing under continuous auditing and monitoring provides the following benefits:
Gives management assurance over the operation of key controls during the year;
Control weaknesses can be addressed during the year rather than after the year end; and
The administrative burden on management is reduced when compared with a full system review, in areas where there is sufficient evidence that key controls are operating effectively.

This approach has been agreed as part of the 2017/18 Internal Audit programme and developed in consultation with the owners and operators of the relevant systems. The controls we have tested have been identified through a combination of industry knowledge, historic audit findings and workshops with the key contacts and system owners. All controls have been identified using a risk-based approach.

Appendix C: Internal Audit roles and responsibilities

Limitations inherent to the internal auditor's work

We have undertaken the review of Key Financial Controls - Payroll, subject to the limitations outlined below.

Internal control

Internal control systems, no matter how well designed and operated, are affected by inherent limitations. These include the possibility of poor judgment in decision-making, human error, control processes being deliberately circumvented by employees and others, management overriding controls and the occurrence of unforeseeable circumstances.

Future periods

Our assessment of controls is for the period specified only. Historic evaluation of effectiveness is not relevant to future periods due to the risk that: the design of controls may become inadequate because of changes in operating environment, law, regulation or other; or the degree of compliance with policies and procedures may deteriorate.

Responsibilities of management and internal auditors

It is management's responsibility to develop and maintain sound systems of risk management, internal control and governance and for the prevention and detection of irregularities and fraud. Internal audit work should not be seen as a substitute for management's responsibilities for the design and operation of these systems. We endeavour to plan our work so that we have a reasonable expectation of detecting significant control weaknesses and, if detected, we shall carry out additional work directed towards identification of consequent fraud or other irregularities. However, internal audit procedures alone, even when carried out with due professional care, do not guarantee that fraud will be detected. Accordingly, our examinations as internal auditors should not be relied upon solely to disclose fraud, defalcations or other irregularities which may exist.